Hello and welcome to the Wednesday, October 12, 2020 edition of the Sands and Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Riyadh, Saudi Arabia.

Today, of course, is Microsoft patched Tuesday, and we got patches for 96-4101 billies, which does include the chromium patches

for Microsoft Edge that actually came out earlier this month, but are included sort of as part

of the set of patches. 13 of the patches are rated critical, 71 important, and one patch is rated as moderate.

But the real news everybody's waiting for, of course, was a patch for Microsoft Exchange,

and, well, that already exploited vulnerability is not being patched this month.

As part of the Exchange Server October 22 security update,

Microsoft states that the October 22 SUs do not include a patch for these vulnerabilities.

So that's CVE 202040 and CVE 2022VE 2022 41082. The post then refers to the

workaround published earlier and a couple of times already updated and states that the patches

will be released when they are ready. So apparently it does take a

bit longer. It's a bit more of a complicated patch. One vulnerability is CVE 224103, a Windows

Com Plus event system service elevation of bridge vulnerability. Well, it's already being exploited and then we do

have another patch CVE 2022 41043, Microsoft Office Information Disclosure vulnerability, not yet

exploited, but already publicly known before the patch was released today.

Also, kind of interest are that there were a number of vulnerabilities in the Windows point-to-point

tunneling protocol that were rated critical and that may lead to code execution.

Exploitation, however, is rated as less likely for them. And then we have one

vulnerability, an elevation of bridge vulnerability in Asia Arc enabled Kubernetes Cluster Connect,

and that one was rated with a perfect 10.0 CVSS score.

Overall, nothing here that I would say sticks out as an immediate must patch.

...